X

Hacking the Defcon badges

Defcon badges, specially designed to be hacked, were turned into a polygraph, blue box dialer, sound sensitive blimp navigator and a device for defeating facial recognition systems at the hacker conference this year.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

Joe "Kingpin" Grand, the designer of the Defcon badges, wearing one of the highly coveted Uber badges that winners of certain contests are awarded that grants life-time access to Defcon. The art on the badge is by Eddie Mize. Eddie Mize

Most badges from conferences and trade shows end up in the trash. Not so the badges from the Defcon security show, which are stylized, mysterious, and highly customized electronics equipment designed to be hacked.

Instead, they end up as collector's items. Bidding on eBay for a Defcon 17 badge from last weekend had reached $81 on Tuesday with three days to go, while a 2007 badge was at $33.99.

The Defcon badges and badge hacking contest, both highly anticipated at the conference each summer, not only give the hackers a mental challenge to figure out what the devices are capable of doing, but they serve as tools for participants to demonstrate their talent at coming up with innovative hacks.

"Each year we push the limits of printed circuit board design techniques and try to show off devices and technologies attendees might not have seen before," Joe "Kingpin" Grand, who has designed the Defcon badges for the past four years, said in an interview on Tuesday. "We are doing things on circuit boards now that clearly have never been done before."

This year's badge was the most sophisticated yet. It doesn't just have a circuit board on it; it is the circuit board. It runs on a 3-volt battery and has a built-in microphone and a multicolored LED (red, green and blue) that reacts to sound by changing color and brightness and by blinking.

The microphone picks up noises, such as conversation and music, and the LED pulses to it. The LED will even flash "SOS" in Morse code when the sound is extremely loud for a period of time--an eardrum protection feature that would surely be useful at the Defcon parties where loud Techno music is the standard.

The badge also has a battery-saving feature and goes to sleep if the environment is quiet, waking occasionally to listen for sound before hibernating some more if it remains still.

The microphone is not a recording device (as some suspected), but the badge can be modified to capture sound for playback. One hacker did just that by attaching an SD (Secure Digital) card reader to the back and modifying the code so it would store the microphone input, Grand said. That effectively turned the badge into a bug that could be used to eavesdrop on unsuspecting bystanders.

Photos: Defcon badge inspires hacks

See all photos

The design is slick and aesthetically pleasing and the badge itself is thin, light, and not bulky. The front has multiple layers of silk screen graphics.

There are seven different types of badge for the different participants: Human, Press, Speaker, Vendor, Contests, Goon (security) and Uber, which is a highly coveted badge that winners of certain contests receive, giving them lifetime access to Defcon. Each type of badge has its own shape. Like a puzzle, they form an image when assembled all together.

Soldering wires to pins and pads

Grand, whose Grand Idea Studio develops and licenses electronic products, chose an MC56F8006 Digital Signal Controller manufactured by Motorola spin-off Freescale for the processing. He surrounded the chip with test points that provide access to interfaces on the chip.

Hackers can wire three of the test points to the corresponding test points on other badges enabling a multi-badge communications interface for creating a network of badges that can blink in unison. If any badges are connected, the Human badge becomes the master and controls the LED output of all of them.

The Defcon 17 press badge hides some nifty features. James Martin/CNET News

The badges, which were manufactured in China and held up in U.S. Customs until shortly before the show started on Friday, include a Static Serial Bootloader that allow attendees to load on their own programs and firmware. All it requires is a simple connection to a PC and a terminal program, like HyperTerminal, to upload custom code, Grand said.

He designed in some hidden features, as well. For instance, if a certain frequency of high-pitched sound--a 1,000 Hertz sine wave generated from a computer or iPhone, say-- is emitted near the microphone, the badge will blink a secret in Morse code. The message is the URL for a formerly secret Web site that has additional information on the badges.

While this year's badge was designed as a sound-activated LED gadget, last year's badge functioned as a TVBGone, able to remotely turn TVs off, as well as a file sharing device. They had an SD memory card so that badge holders could transmit files and receive them from other badges over infrared. In 2007, the LEDs scrolled a programmable message on the badge.

With the contest, Grand and other judges, including Defcon founder Jeff Moss, are looking for the most creative, unique or mischievous badge hacks and modifications that weren't intended.

The first place winner of the Defcon badge hacking contest went to Zoz Brooks, who has a Ph.D in electrical engineering and computer science from MIT and was one of Grand's co-stars on the Discovery Channel TV series "Prototype This."

Brooks modified a hat into an anti-surveillance device by wiring up the brim with LEDs. When you turn on a device controlled by the badge all the lights blink at a certain frequency that generates enough optical noise to defeat facial recognition systems.

For the second part of his project, Brooks modified a badge from last year's Defcon to create a device that can help someone escape detection by infrared motion detection sensors that are temperature sensitive. He added a temperature sensor to the badge that indicates when the room is warm enough for someone to start moving so as not to trigger the motion sensor. A motor on the badge controls two foot-shaped pieces of plastic so that they move at the pace needed to evade detection--two inches per second, giving an indication of how slow someone's feet need to move.

The second place winner of the Defcon badge hacking contest went to a group that created what they called a "Sound-Fearing Blimp." They wrote custom software for the badges and hung three of them to the bottom of a toy blimp. Each badge measured the sound level coming from its microphone and set the speed of its individual drive motor accordingly, steering the blimp away from areas with greater noise levels. The badges were connected together to communicate between themselves.

Third place went to "Solder Guy," who added a speaker and keypad and turned the badge into a multi-function dialer that in the vein of classic phone phreaking could be used for making free long distance calls as a blue box. "He didn't demonstrate that part because technically it would be illegal," Grand said.

One of the more unusual of the 23 contest submissions was a badge as polygraph device. It used galvanic skin response and measured the heart rate to try to determine whether an individual was answering honestly or not to questions posed.

"It didn't place, but it was neat," Grand said. "They tested it on me (with only about five questions)...and it seemed to work. It was convincing."